I am running Exchange 2013 on Server 2012 Datacenter (VM). Windows 7 clients with Outlook 2010 work fine. Windows XP clients with Outlook 2010 prompt for credentials (user name and password) each time Outlook is started, and checking the "Remember my password" box does not prevent this from happening the next time. The "Always prompt for logon credentials" checkbox on the "Security" tab of the "More Settings" section of the Exchange account is not checked. I have found a myriad of posts with similar issues, but they all seem to have to do with SBS/Exchange 2007, and I haven't come across something that works as a solution for me. One suggested certificate issues, and I was having certificate security warnings, but I got that resolved. I am hopeful that the fact that this only happens on Windows XP will be telling.
I know this is Exchange 2013 and not Exchange 2010, but I suspect the issue is the same since the clients are Windows XP.
See:
Does the XP machine have the root and intermediate certificates for your issuer?
Is Outlook using TCP (RPC) or HTTP (Outlook Anywhere)? You can find out by using the Connection Status window. XP can have problems when the certificate's CN is not the same as the Outlook Anywhere hostname.
I'm not sure what the clients are using. They are using whatever they default to when they detect the Exchange account. To be more verbose: I installed Exchange, and it generated a self-signed certificate. I started Outlook on the XP machines, and they automatically detected the Exchange server, but complained that they didn't trust the root (since the default certificate was self-signed). I added it to the Trusted Root section of the certificate store, and the complaint went away. Users had to log in to start Outlook, but there was no more warning about the certificate. Later, I installed a certificate for the external name, and then the XP machines started complaining about the name not matching, but the Windows 7 machines did not. External connections were still receiving the internal certificate, so I ran Enable-ExchangeCertificate to correct that, and then all machines started complaining about the certificate not matching. I used the steps in KB article 940726 to resolve that (I had actually taken most of the steps before finding the article). Once that was completed, no machines complained about mismatches. I am not sure whether or not intermediate certificates are missing from the certificate store, but I can tell you this: When I go to https://<externalfqdn>/owa, I am able to log in from the same XP machines that won't automatically log in from Outlook, and there is no certificate warning in IE.
I am going to try this:
Set-OutlookProvider EXPR -CertPrincipalName <externalfqdn>
I will respond tomorrow regarding whether or not it worked. However, since Get-OutlookProvider also shows EXCH and WEB, should I do the same for EXCH and/or WEB? Currently, that setting appears to be null for all three.
ETA: I am NOT using a wildcard certificate and I did NOT include "msstd:" before <externalfqdn>. Should I have?
- Edited by PRDIT Monday, November 19, 2012 11:19 PM
ETA: My post now shows at the bottom, but as the thread grows, with no new responses to my response or the OP, it moves further and further from here.
- Edited by PRDIT Monday, November 26, 2012 9:02 PM
- Edited by PRDIT Monday, November 26, 2012 9:03 PM
Hi,
Do you have any antivirus on the XP client? If yes, please disable it and test again.
And please ping autodiscover.domain.com to verify that it can be discovered.
Please check whether the certificate includes autodiscover.domain.com.
Please also try logging in to Outlook with the same user on Win7.
The XP clients do have antivirus, disabling it made no difference.
autodiscover.<domain> is not included in our DNS, and as such, cannot be pinged. Likewise, there is no autodiscover certificate, and no certificate with autodiscover included.
Outlook works fine in Win7 consistently.
I could add autodiscover to DNS manually, but I am not sure whether or not I should try this. Note that once credentials are entered, Outlook works fine on the XP machines (they aren't prompted for credentials again until Outlook is closed). No server information was manually entered, so obviously it was gathered from AD like it should be. Is there really any possibility that the autodiscover name is needed in this case?
Hi,
Is there a certificate warning when you log on to Outlook on the XP client?
You can test on the following page to confirm whether there is certificate issue.
There was a certificate warning initially, but I got that straightened out. To be clear, I can tell you that we have external and internal devices connecting fine. I haven't seen any certificate warnings since I started this thread. I have the following warnings when I do an Outlook Anywhere connectivity test:
1)
Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.
I am fairly certain this is not a problem, because I am using WSUS and root certificate updates seem to come through fine.
2)
Attempting to ping RPC proxy mail.prd-inc.com.
RPC Proxy can't be pinged.
I am not sure what to make of this.
In case it is relevant, I should note that I provided the connectivity information for the test, as there is no autodiscover DNS entry.
- Edited by PRDIT Monday, November 26, 2012 3:13 PM autodiscover info added
Hi,
Did you add an autodiscover record in DNS?
And what are the results?
No, does an internal XP machine use autodiscover DNS? If so, why are they connecting without it at all? I believe the autodiscover issue is external only, and it isn't affecting us (even on external [rim,android,ios] devices, which we have working fine). I can add autodiscover, but I would like to understand what it could possibly have to do with prompts for credentials first.
I am also having the same issue as you. I am running Windows XP with Outlook 2010 connecting to Exchange 2013. I receive the credentials prompt for my XP workstation inside the network but none of my Windows 7 boxes have any issues.
Did you find the resolution for this?
Thanks
David
- Marked as answer by PRDIT Wednesday, January 02, 2013 5:54 PM
I have the same question for Internet Explorer 6, 7 and 8
http://social.technet.microsoft.com/Forums/en-US/ieitpropriorver/thread/c379f745-2215-463a-b6cb-aa032e803970/#c379f745-2215-463a-b6cb-aa032e803970
we always got the logon prompt, even though we didn't want it
We have the same problem, but it happens with Internet Explorer instead.
Doesn't matter if you type the right or the wrong password, IE always prompts for the password.
Yeap, my English is too bad...
The root question is: "why the save option doesn't work?"
Proxy settings:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive on
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R \
    -b "DC=domain,DC=local" \
    -D "CN=Squid Proxy,OU=TI,OU=Domain,DC=domain,DC=local" \
    -W passldap \
    -f "sAMAccountName=%s" \
    -h domain.local
auth_param basic children 20
auth_param basic realm Domain Internet Proxy
auth_param basic credentialsttl 8 hours
external_acl_type ADS children=50 ipv4 ttl=60 %LOGIN /usr/lib/squid3/squid_ldap_group -S -K -b "DC=domain,DC=local" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof =CN=%a,OU=Domain,DC=domain,DC=local))" -D "CN=Squid Proxy,OU=TI,OU=Domain,DC=domain,DC=local" -s sub -W ldappass domain.local
tks.
Try this trick:
http://sumoomicrosoft.blogspot.ru/2012/12/exchange-2013-outlook-keeps-asking-for.html
Solution:
Edit the group policy LAN Manager authentication level, set it to Send NTLM responses only or above.
or
You must set the LmCompatibilityLevel on your client to a value of 2 or 3. To do this, follow these steps.
1. Click Start, click Run, type regedit in the Open box, and then press ENTER.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\
3. In the right pane, double-click lmcompatibilitylevel.
4. In the Value data box, type a value of 2 or 3 that is appropriate for your environment,
and then click OK.
5. Quit Registry Editor.
6. Restart your computer.
I've tried it already, but it doesn't work.
I've changed my squid proxy settings, now it works. =)
I was able to resolve this issue:
You have to generate a new self-signed certificate in the iis8 of the Exchange. The "builtin" certificate is for the name "server" (not the FQDN) and not for "server.contoso.com"
XP insists on having the correct certificate in its storage. Correct means, the certificate is for the same name as the proxy being used to connect to the exchange. The one with msstd:server.contoso.com....
Generate the certificate for server.contoso.com (this can now be done without having an own CA) on your Exchange, distribute it via GPO or import it manually and everything works like a charm, even on WinXP with Outlook 2010.
- Proposed as answer by DmitryK Friday, April 26, 2013 11:55 AM
I didn't understand exactly how you solved the problem.
I already have the certificate on IIS for exchange.mydomin.com, do I need to import that certificate on Windows XP client? Right click - install certificate?
Thank you in advance.
is exchange.maydomain.com your local domain or your domain in the www?
you need a certificate for the name, that outlook uses in its proxy settings to connect to the exchange server. this certificate needs to be installed in the local computer storage. I've done that via a gpo, but manual installation should also work.
I've the same problem:
I have installed a new Exchange Server 2013 in the Organization. I've configured the Mail Flow, domains and so on.
I have installed certificates and when using OWA, all the users can see the email.
I have configured Outlook 2010 on Windows 7 and on Windows XP with service pack 3.
I have no problem with Windows 7 but when I try to connect to Exchange from Windows XP system, Outlook can't connect to Exchange Server.
My domains are: mail.external.com as internet domain and SRV1.domain.local for the local domain.
What I don't understand is: what have I to set when I generate the self-signed certificate in order to do it for the servername ? You mean to do it by EAC right?
And then, when I've exported it (from EAC), which certificate folder have I to use in XP where to import it?
Thanks in advance
Alberto
- Edited by Alberto Lessi Wednesday, September 11, 2013 6:01 PM
Hi
Ran into the same problem on my LAB. Windows 7 computer with Outlook 2007 and newer could connect. Windows XP computer with Outlook 2007 and newer I could configure to use Exchange 2013, but it kept on prompting for credentials when opening Outlook. Looked everywhere on the Internet, but could not find anything. All solutions for other people did not work for me. I stumbled upon this website - http://arstechnica.com/civis/viewtopic.php?t=1200405.
This is exactly what happened to my XP computer. The only way I could get Outlook on XP to connect to Exchange 2013 was to change the "Logon Network Security" to "Password Authentication (NTLM)" on security tab under more settings in Outlook.
Outlook will then connect and after some time or when I close and open Outlook again, it will prompt me for credentials again and the setting have changed back to Negotiate.
How my settings were when running PowerShell - Get-OutlookAnywhere | Fl Identity,*auth*
Identity : Exch2013Server\Rpc (Default Web Site)
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Negotiate
IISAuthenticationMethods : {Negotiate}
What I did to resolve and get Outlook to connect with Negotiate setting. Outlook proxy setting is on NTLM.
Set-OutlookAnywhere -Identity "Exch2013Server\Rpc (Default Web Site)" -IISAuthenticationMethods Basic,Ntlm,Negotiate
This was the result running the Get command above again
Identity : Exch2013Server\Rpc (Default Web Site)
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Negotiate
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
Did an iisreset on Exch2013Server
Went to XP computer and opened Outlook and Outlook opened and connected to Exch2013 without prompting me for credentials. Went into the settings for Outlook and it is set to Negotiate (The way it defaulted back to after some time). Closed Outlook and it connected again. Restarted computer and Outlook still connected without prompting me.
Regards,
SuperBulls
I follow ED Crawley.
I just change common certificate name match with outlookanywhere name and that's it.
You save me again Ed Crawley
- Edited by Supawat Rungsarityotin Monday, November 11, 2013 6:23 AM
No, it is not expected behavior, Microsoft is a group of losers! :-)
you can use this script for repair "password prompting"
http://jaworskiblog.com/2013/04/13/setting-internal-and-external-urls-in-exchange-2013/
the main goal is set
Set-OutlookAnywhere -Identity "$ExServer\Rpc (Default Web Site)" -InternalHostname $internalName -ExternalHostname $ExternalName -InternalClientAuthenticationMethod Ntlm -InternalClientsRequireSsl:$True -ExternalClientAuthenticationMethod Basic -ExternalClientsRequireSsl:$True
Both client sides, internal and external, have to be set for SSL!
Hi Ed, sorry for "noobing", what is OP. :-)
Hi,
The solution of problem I found is:
1. Disable Autodiscover for user - in windows profile
To do this (Outlook 2007) I set registers:
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover]
"ExcludeScpLookup"=dword:00000001
"ExcludeHttpRedirect"=dword:00000001
"ExcludeHttpsAutoDiscoverDomain"=dword:00000001
"ExcludeHttpsRootDomain"=dword:00000001
"PreferLocalXML"=dword:00000001
"ExcludeSrvRecord"=dword:00000001
2. Uncheck option "only connect to proxy servers that have this principal in their certificate" in connection settings
(I am using Basic Authentication)
That's it. Works for me (Exch2013, Outlook2007 on WinXP)
I hope this way could help someone...
Regards
- Proposed as answer by WereWolf00 Thursday, April 24, 2014 10:50 AM
- Marked as answer by PRDIT 14 hours 37 minutes ago
Hi,
I have solved this issue.
I had the same problem with Windows XP and Office 2010. On Windows 7 and Office 2010 it works fine, then I've tested with Office 2007 and Win XP and it also works fine.
It seems that the issue occurs if Office 2010 is installed with SP2 and all patches are installed.
However, I have reinstalled Office 2010 without any Service Pack and without any Updates and it works fine.
I don't know what exactly is responsible for the problem but Windows XP and Office 2010 without SP and Update seems to work fine.
Hope this is helpful.
Windows XP Machines Always Prompt for Credentials (Exchange 2013, Outlook 2010)
On XP workstation I Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel = 2
Rebooted XP workstation then Outlook did not prompt for credentials
Thanks Ed. This resolved my issue:
Set-OutlookProvider EXPR -CertPrincipalName:msstd:mail.company.com
After running the command issue iisreset.
- Proposed as answer by AntonyFats Monday, November 24, 2014 4:03 PM
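An added example, not posted by anyone in this thread and not Microsoft's code: a read-only Exchange Management Shell function that lines up the settings the replies above compare by hand, namely each Outlook Anywhere hostname, the subject CN and names of the IIS-bound certificate, the EXPR CertPrincipalName, and the authentication methods. The function names and output columns are made up for this example, and wildcard certificate names are not expanded.

```powershell
# Added example; run in the Exchange Management Shell. Read-only, changes nothing.

# "CN=mail.contoso.com, O=Contoso" -> "mail.contoso.com"
function Get-SubjectCN {
    param([string]$Subject)
    if ($Subject -match '(?:^|,\s*)CN=([^,]+)') { return $Matches[1].Trim() }
    return $null
}

# Hypothetical helper name; emits one row per configured Outlook Anywhere hostname.
function Test-OutlookAnywhereCertNames {
    # Certificates enabled for IIS: their subject CNs and every name they carry
    $iisCerts = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' })
    $cns  = @($iisCerts | ForEach-Object { Get-SubjectCN "$($_.Subject)" } | Where-Object { $_ })
    $sans = @($iisCerts | ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" })

    # EXPR CertPrincipalName, e.g. "msstd:mail.company.com"; empty unless it was set
    $expr = Get-OutlookProvider -Identity EXPR -ErrorAction SilentlyContinue
    $principal = "$($expr.CertPrincipalName)" -replace '^msstd:', ''

    foreach ($oa in Get-OutlookAnywhere) {
        $iisAuth = @($oa.IISAuthenticationMethods | ForEach-Object { "$_" })
        foreach ($side in 'Internal', 'External') {
            $hostName   = [string]$oa.("${side}Hostname")
            $clientAuth = [string]$oa.("${side}ClientAuthenticationMethod")
            if (-not $hostName) { continue }

            # $null means "no CertPrincipalName set", which is the default
            $principalOk = $null
            if ($principal) { $principalOk = ($principal -eq $hostName) }

            [pscustomobject]@{
                Identity             = "$($oa.Identity)"
                Side                 = $side
                HostName             = $hostName
                HostIsCertSubjectCN  = ($cns -contains $hostName)   # what msstd: is matched against
                HostInCertDomains    = ($sans -contains $hostName)
                CertPrincipalName    = $principal
                PrincipalMatchesHost = $principalOk
                ClientAuthMethod     = $clientAuth
                IISAuthMethods       = ($iisAuth -join ', ')
                # Replies here report XP clients connecting once IIS also offered NTLM
                IISOffersNtlm        = ($iisAuth -contains 'Ntlm')
                # Basic sends the password with each request and relies on TLS alone
                ClientUsesBasic      = ($clientAuth -eq 'Basic')
            }
        }
    }
}

Test-OutlookAnywhereCertNames | Format-List
```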
Hi all,
I had the same problem.
Scenario Windows XP SP3, Outlook 2010 SP2 (13.0.7015.1000) ;
CAS on Exchange Server 2013 SP1 (CU4); Windows Server 2012 R2;
Autodiscover works fine, without configuring any CertPrincipalName, here below the EMS output:
[PS] C:\>Get-OutlookProvider |fl Identity, CertPrincipalName
Identity : EXCH
CertPrincipalName :
Identity : EXPR
CertPrincipalName :
Identity : WEB
CertPrincipalName :
The problem was related to the Authentication set to NTLM Exchange side.
Windows XP get stuck trying to connect to Exchange.
We modified the following with "Basic Authentication" and it works like a charm:
[PS] C:\>Get-OutlookAnywhere | Fl Identity,*auth*
Identity : xxxxxx\Rpc (Default Web Site)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Basic
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
The Outlook Client Configuration on Windows XP , now has "Basic Authentication":
Solved !!!! Thanks :)